CVE-2014-7810

Published: Jun 7, 2015Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Affected (120)

Products: Debian: Debian Linux · Apache: Tomcat

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0

Configuration C

119 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.0 alpha
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.1 alpha
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.2 alpha
Apache Tomcat	Version 6.0.2 beta
Apache Tomcat	Version 6.0.30
Apache Tomcat	Version 6.0.31
Apache Tomcat	Version 6.0.32
Apache Tomcat	Version 6.0.33
Apache Tomcat	Version 6.0.35
Apache Tomcat	Version 6.0.36
Apache Tomcat	Version 6.0.37
Apache Tomcat	Version 6.0.39
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.41
Apache Tomcat	Version 6.0.43
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.4 alpha
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.6 alpha
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.7 alpha
Apache Tomcat	Version 6.0.7 beta
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.8 alpha
Apache Tomcat	Version 6.0.9
Apache Tomcat	Version 6.0.9 beta
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.12
Apache Tomcat	Version 7.0.13
Apache Tomcat	Version 7.0.14
Apache Tomcat	Version 7.0.15
Apache Tomcat	Version 7.0.16
Apache Tomcat	Version 7.0.17
Apache Tomcat	Version 7.0.18
Apache Tomcat	Version 7.0.19
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.20
Apache Tomcat	Version 7.0.21
Apache Tomcat	Version 7.0.22
Apache Tomcat	Version 7.0.23
Apache Tomcat	Version 7.0.24
Apache Tomcat	Version 7.0.25
Apache Tomcat	Version 7.0.26
Apache Tomcat	Version 7.0.27
Apache Tomcat	Version 7.0.28
Apache Tomcat	Version 7.0.29
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.2 beta
Apache Tomcat	Version 7.0.30
Apache Tomcat	Version 7.0.31
Apache Tomcat	Version 7.0.32
Apache Tomcat	Version 7.0.33
Apache Tomcat	Version 7.0.34
Apache Tomcat	Version 7.0.35
Apache Tomcat	Version 7.0.36
Apache Tomcat	Version 7.0.37
Apache Tomcat	Version 7.0.38
Apache Tomcat	Version 7.0.39
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.40
Apache Tomcat	Version 7.0.41
Apache Tomcat	Version 7.0.42
Apache Tomcat	Version 7.0.43
Apache Tomcat	Version 7.0.44
Apache Tomcat	Version 7.0.45
Apache Tomcat	Version 7.0.46
Apache Tomcat	Version 7.0.47
Apache Tomcat	Version 7.0.48
Apache Tomcat	Version 7.0.49
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.4 beta
Apache Tomcat	Version 7.0.50
Apache Tomcat	Version 7.0.52
Apache Tomcat	Version 7.0.53
Apache Tomcat	Version 7.0.54
Apache Tomcat	Version 7.0.55
Apache Tomcat	Version 7.0.56
Apache Tomcat	Version 7.0.57
Apache Tomcat	Version 7.0.5
Apache Tomcat	Version 7.0.6
Apache Tomcat	Version 7.0.7
Apache Tomcat	Version 7.0.8
Apache Tomcat	Version 7.0.9
Apache Tomcat	Version 8.0.0 rc10
Apache Tomcat	Version 8.0.0 rc1
Apache Tomcat	Version 8.0.0 rc2
Apache Tomcat	Version 8.0.0 rc5
Apache Tomcat	Version 8.0.11
Apache Tomcat	Version 8.0.12
Apache Tomcat	Version 8.0.14
Apache Tomcat	Version 8.0.15
Apache Tomcat	Version 8.0.1
Apache Tomcat	Version 8.0.3
Apache Tomcat	Version 8.0.5
Apache Tomcat	Version 8.0.8
Apache Tomcat	Version 8.0.9

Running on/with	Platform Versions
Hp Hp Ux	Version 11.31

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (58)

http://marc.info/?l=bugtraq&m=145974991225029&w=2

Source: secalert@redhat.com

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2015-1621.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2015-1622.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-0492.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2046.html

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1644018

Source: secalert@redhat.com

Patch

http://svn.apache.org/viewvc?view=revision&revision=1645642

Source: secalert@redhat.com

Patch

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

PatchVendor Advisory

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

PatchVendor Advisory

http://tomcat.apache.org/security-8.html

Source: secalert@redhat.com

PatchVendor Advisory

http://www.debian.org/security/2015/dsa-3428

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3447

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3530

Source: secalert@redhat.com

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/74665

Source: secalert@redhat.com

http://www.securitytracker.com/id/1032330

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-2654-1

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-2655-1

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

Source: secalert@redhat.com

Third Party Advisory

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=145974991225029&w=2